decryptStrategyOnce
Strict / airgapped strictness only. Verifies the supplied
passphrase against the org's stored verifier, derives the KEK
in-process, decrypts the named strategy's encrypted IP fields
(code + config + uiBuilderConfig + analysis), zeros the KEK,
emits a secrets.passphrase.decrypt_once audit event, and
returns the plaintext payload.
Returns errors:
- STRICTNESS_DOES_NOT_REQUIRE_PER_ACTION — caller's org is on convenience or standard strictness; dashboard should fall back to UnlockModal.
- NO_PASSPHRASE_VERIFIER — the org has no passphrase configured.
- WRONG_PASSPHRASE — the supplied passphrase does not match.
Each error path emits a denied audit row with a structured denied_reason so admins can see brute-force patterns on per-action prompts.
decryptStrategyOnce(
strategyID: ID!
passphrase: String!
): Strategy!
Arguments
decryptStrategyOnce.strategyID ● ID! non-null scalar
Strategy ID to decrypt.
decryptStrategyOnce.passphrase ● String! non-null scalar
Plaintext passphrase. Never logged. Zeroed after the operation.